Microsoft Hops On Two-Factor Authentication Bandwagon
itwbennett writes "Following similar initiatives by Apple, Google and Facebook, Microsoft is enabling two-factor authentication for its Microsoft Account service, the log-on service for many of its online and desktop products. Users will find instructions on how to add a second form of authentication on the Microsoft Account settings page. The chief form of secondary authentication will be a short code sent to the user's mobile phone, the number of which Microsoft will keep on file, each time the user logs on."
Will I not be able to pirate Win8.1?
Given that cell phones are as much a part of your everyday carry as a wallet and keys, you would be screwed anyway if someone stole your phone.
This isn't really two-factor auth. If someone steals your phone, you are screwed.
Something you Know (password).
Something you Have (phone).
Something you Are (doesn't do this yet).
Sounds like it's meeting 2 different factors of authentication to me.
Unless you're a Microsoft developer, what would anyone want a "Microsoft account" for? Hotmail?
windows live (PC gaming). Xbox gaming. Hotmail.
Unless of course the phone is used to access the email with a stored password, which is the typical use case with phone email access.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
It is 2 factor authentication.
The 3 authentication factors are:
Something you Know.
Something you Have.
Something you Are.
This meets 2 of those factors, a password (know), and your phone (have).
Unless of course the phone is used to access the email with a stored password, which is the typical use case with phone email access.
Unless the user doesn't store their password on the phone. Then it IS 2 factor. The user doing something by their choice doesn't negate the fact that this is 2 factor authentication if used "correctly".
when I can have Bill's, Ballmer's, Larry's, Sergei's and the rest of the executives'
maybe someone should start a website with this information, if you have nothing to hide..........
Go get a free Google Voice number that you only use to receive the text messages on.
The new Microsoft authentication option, as they describe it, is "two-step authentication", not "two-factor authentication". And, while the correct choice among the options they provide might make it two-factor authentication, they don't seem to focus on that in any particular way.
Two-factor authentication is "something you have and something you know" (commonly, the something you know is a password, the something you have is a device generating confirmation codes). The options for the second step in authentication (a password is the required first step for Microsoft accounts) include a code sent to an email address on file, making it "something you know" (your Microsoft account password) plus "something else you know" (the password to the alternative email).
(Plus, since it's sent through regular plaintext email if you are using that option, the second "step", in that case, relies on you supplying back information that Microsoft sends you over a completely insecure channel.)
I understand the *convenience* offered by the alternative to actual two-factor authentication here, but I don't understand why this is done since the convenience in "two-step" authentication that allows you to choose for it not to be two-factor authentication defeats the entire purpose of not using simple one-factor authentication.
Go get a free Google Voice number that you only use to receive the text messages on.
From the signup page:
What alternative to Google Voice do you recommend for people outside the United States?
Yes. Microsoft, who hires thousands of the best developers including elite Ph.D researchers and pays them large sums of money doesn't know what two factor authentication is.
You cracked the case, Murder She Wrote.
I have one for downloading apps onto my Windows Phone.
I don't respond to AC's.
Google added the USB dongle called the YubiKey, which is "something you have" that can squirt a code for a second factor. I prefer not using my phone number either. There are other OpenID solutions possible as well -- ones that are datum-based, rather than some other ID field that ought not to be distributed.
---- Teach Peace. It's Cheaper Than War.
Unless you're a [insert company name] developer, what would anyone want a "[insert company name] account" for?
I still wouldn't mind so much here - the number of people that can access the account is restricted to exactly 1 since only one person can possess the phone at any given time. Unless someone wants to sit there and field passcodes to everyone that wants to hack the account, but this would be painfully slow.
Besides the carrier would reissue the phone and disconnect the old one with good ID and it's fairly easy to prove that you're paying the phone bill anyway.
If MS really cared that much about security they would offer the use of client certificates. Much more secure than SMS.
Judging by what passes for acceptable practice today, my guess is this is all likely effectively a moot point, as convenient password recovery measures effectively curtail actual security gains.
Unless you're a Microsoft developer, what would anyone want a "Microsoft account" for? Hotmail?
Skype, Hotmail, Live properties, Xbox Live, Messenger, Windows 8 users with linked accounts, Skydrive ...
Microsoft has more individuals with accounts than anyone else, by far.
You may not have one (although, even if you were 100% Linux, unless you've never used Skype, you do have one), but virtually every other person with a computer does.
I just set it up. You can also receive the code via a phone call.
The article refers to it as "two-step", not two-factor. The title and summary say it is two-factor.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Authorized computers don't need extra verification and they'll probably have the printable one-time-code pads, like google. Nothing keeps you from using any RFC 6238 passcode generator, like those on this list, on a second device (as you can see there's plenty to choose from) - it's just a matter of inserting the same code in all your generators.
Microsoft Accounts have supported two factor authentication for "sensitive" actions for quite a while -- adding trusted PCs, changing billing methods, resetting passwords, etc ...
Two things new with this:
- The ability to set the account to require it at login for normal authentications
- The ability to use 3rd party token applications (like Google Authenticator) for the tokens, instead of SMS.
windows live (PC gaming). Xbox gaming. Hotmail.
Steam, Battle.net, Gmail.
Both Steam (for Valve and those who publish through Valve) and Battle.net (for Blizzard) are primarily for games in mouse and keyboard genres, as I understand it. Other than Xbox Live, what service caters to gamepad gamers?
I don't want to log-on with a country dance...
http://www.youtube.com/watch?v=asNHCGYb9AA
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
Hotmail/Outlook webmail, Xbox Live, Windows 8 sync features, SkyDrive, Office 365, Messenger/Skype, MSDN/Technet, online Microsoft store, and I'm sure there's a few more obscure things.
Yep, and I'm pretty sure MS doesn't write the Slashdot summaries around here. The retarded monkeys that translate them into the clickbait that is acceptable here are kept in a cage in the far corner.
What alternative to Google Voice do you recommend for people outside the United States?
Baidu Voice! But all calls are screened to make sure you only say nice things about the Chairman.
Help fight poverty: Punch a poor person.
It is 2 factor authentication.
The 3 authentication factors are:
Something you Know.
Something you Have.
Something you Are.
And a fanatical devotion to the Pope- Four! Four authentication factors!
systemd is Roko's Basilisk.
Quite right too. Lovely chap.
I suspect they understand what two-factor authentication is quite well, and that is the reason that their label for what they are doing is "two-step authentication", which is only confusingly similar to "two-factor authentication". They very carefully do not actually call it "two-factor authentication".
I certainly didn't expect a spanish inquisition joke.
30 buck Nokia with pre-paid SIM? Where do you live that you can't afford a basic cell phone?
Besides, you can generate the required codes:
http://en.wikipedia.org/wiki/Google_Authenticator - available for nearly every modern computing device.
I wouldn't want to play Mega Man or Metroid with a keyboard and a mouse.
Get free satoshi (Bitcoin) and Dogecoins
All of these authentication measures seem to want my cell phone.
I don't have one, and you can phone me when Hades freezes over.
-- Tigger warning: This post may contain tiggers! --
a normal privacy-free human being.
FTFY.
Google also has the "Google Authenticator", which DropBox also uses. It's free, open-source, and multi-platform. It would have been nice if they had it as an option, as it works quite well (nice for SSH as well).
You're thinking of Google.
Microsoft is surprisingly good about privacy. I'm not sure if it's part of MS's culture, or a side-effect of their loss of market leadership. Either way, I find MS to be quite trustworthy with regards to privacy.
MS can be fairly competent when they aren't a monopoly and can't bully others around.
Time to upgrade to a real control scheme then.
Or, you know, not limit yourself out of silly fanboyism.
I don't think you understand the question. He means, why would anyone want to use a product that he doesn't use?
He doesn't use those things, ergo no one else should either. It's the Slashdot way.
"The chief form of secondary authentication will be a short code sent to the user's mobile phone"
Some people don't have $400 per person per year for their own mobile phone. Instead, they share a house phone. Since when can land lines receive text messages?
So? If you don't have something, you can't use it. This is simple. You constantly seem to think that because something costs money, it's useless because there exists somewhere a person who can't afford it.
How does that make any sense? What product in the world lives up to that criticism?
Why constantly feel the need to knock things down that add value to the world? If you don't have a cell phone, you can't use this, but that it exists means that the billions of people that do have a cell phone can. The cell-less lose nothing, and those with cells gain. What is wrong with that?
Such negativity, how horribly unnecessary and pointless!
"Scroogled" is just silly marketing. I'm talking about actual privacy. Google tracks and *STORES* everything you do on the internet that touches a Google server. MS does not. That's because that's Google's business model.
And Google is caught, constantly, repeatedly, and without remorse, doing bad things with people's private data.
But, no, MS follows the laws of other countries? OMYGOD! Guess what: Google does as well. They have to. It's (duh) the law.
2 -- something new,
3 -- something borrowed,
4 -- something blue,
Wait, isn't that what we were talking about?
Because Google gives out geek toys and speaks nerd.
Which would be wonderfully fantastic, if it wasn't a trojan horse.
Surprise and an almost fanatical...oh, we've already done that.
To have a right to do a thing is not at all the same as to be right in doing it
Maybe in your world but not in mine. Reception where I live sucks. Bandwidth is barely acceptable and a mobile is practically useless. I do not own one, and while telcos continue to screw us and the governments charge exorbitant fees for what is essentially nothing (go on - define spectrum) I'm waiting for something that provides me with ACTUAL value.
Yes, and the Amish don't watch porn on the internet.
There are always exceptions to any rule when it comes to human beings.
Yes, I think we know that there are alternatives to Microsoft. The original question was why would you want to use a Microsoft account. It's self evident that it would be for Microsoft services.
I have one for downloading apps onto my Windows Phone.
I'm pretty sure that's illegal in slashdot-world.
First of all, you merely just repeated what I said with regard to specifying if the user does or does not store passwords. Now, here is a quiz for you. I already have my phone set up to remember my email address. Without deleting and recreating the account in the mail client, how do I tell it to forget the stored password? Furthermore, people keep their password stored on the phone for a reason. A good password is a royal pain in the ass to type in manually on a smartphone.
You can use Google's authenticator app or Microsoft's authenticator app. This was a typical poorly written summary on Slashdot. Anything MS does that is remotely positive gets half reported or not reported at all. http://arstechnica.com/security/2013/04/microsoft-rolls-out-standards-compliant-two-factor-authentication/
True, the 8- and 16-bit titles in the Mega Man and Metroid series are probably better played with a gamepad than with a pointing device. But pointing device advocates would claim that the play style of these older games is a relic of the past, and series need to evolve to keep up with changing play styles implied by higher-resolution input devices. For example, a pointing device would have helped third-person shooters like Mega Man Legends and first-person shooters like Metroid Prime series. In fact, Nintendo made Metroid Prime 3 for its Wii Remote pointing device and remade several games for the Wii Remote for its "New Play Control" line, including a 3-pack of the Metroid Prime series. You can help keep your argument relevant by explaining how controller-friendly play styles aren't a relic.
I don't think very many genres benefit from having controller support
In light of someone's recent post about what he perceives to be the reality of the video game market, I've been doing a bit of research into what makes a game better with a controller than with a pointing device. Any game where the player controls one character on the screen that moves and jumps would benefit from a gamepad. Platformers and fighting games are the big ones, and I'm not sure how well the Zelda games for DS worked with pointing-device-only control.
if the game supports a controller on the xbox/ps3 then it probably does on the PC as well.
Mortal Kombat (2011) doesn't support a controller on the PC because it isn't made for PC. If a game is on Xbox 360 but the publisher has declined to port it to the PC, you need a Microsoft account and an Xbox Live Gold subscription to play online.
If you don't have a cell phone, you can't use this
As of right now, "this" means the 2-factor authentication for a Microsoft account. Perhaps my paranoia comes from a fear that Microsoft might make 2-factor authentication mandatory.
pre-paid SIM
Each U.S. carrier that I've looked at will expire the balance on a prepaid mobile phone account if the user doesn't top up regularly. And in the United States, the receiver pays 20 cents to receive a text message unless the receiver is on a monthly unlimited texting plan. Having to pay the carrier a dollar every five times I log in to anything that uses a Microsoft account could add up quickly.
Why not? How is the Wii-mote any different than a mouse? And the keys on the Wii-mote are pretty much like a keyboard. The newer editions of Metroid have you aiming by pointing the Wii-mote, this is not much different than any other FPS on the computer. It would be much easier to use a keyboard/mouse than the Wii controllers.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Oh, now, that's simply not true. Google may not feel any remorse about what they've been caught doing, sure, but they clearly feel great remorse over being constantly and repeatedly caught.
William Shatner? Or the Japanese guy?
Unless you don't have a phone lock password, in which case you are explicitly stating that you don't give a shit about security at all...
I guess you didn't read the GP post or the article summary. He wasn't talking about M$ providing one of the two factors and a third party offering the other, in which case it isn't Microsoft offering two factor auth now, is it? It is more like Microsoft relies on Google/Apple for second factor.
I was obviously referring to Metroid and Super Metroid. Trying to play Metroid Prime with a gamepad like the ones on the PS3 or the Xbox360 would be a nightmare.
Anyone who considers 2-D games "relic"
It's not that games with 2D graphics are "relics". It's that gamepads are allegedly "relics". The most popular mobile gaming platforms today are iOS and Android, and those ship with a capacitive multitouch screen. A lot of popular touch-oriented games, such as Angry Birds series, use 2D graphics. So do plenty of mouse-driven Flash games on Newgrounds. Other than 2D platformers and fighting games, whose popularity compared to other genres has waned, what genres really need a gamepad?
isn't worth arguing with.
Yet pointing device advocates keep arguing for pointing devices, and they occasionally get moderated up. So it's best to have a counterargument ready instead of just an ad hominem.
First of all, you merely just repeated what I said with regard to specifying if the user does or does not store passwords. Now, here is a quiz for you. I already have my phone set up to remember my email address. Without deleting and recreating the account in the mail client, how do I tell it to forget the stored password? Furthermore, people keep their password stored on the phone for a reason. A good password is a royal pain in the ass to type in manually on a smartphone.
The first rule of good password use is that you don't write it down or store it anywhere. If you store your password on your phone then YOU are sacrificing some security in exchange for convenience. The exact same thing happens if a user writes their password on the back of a physical SecurID token, yet those tokens are considered part of a 2-factor system. In any security system the users are the weakest part. Even 2-factor systems can be broken by the bad practices of the users.
It's a trade-off between either the extra security of two-factor authentication, or the convenience of linking more than one account to be able to switch between them with ease. Why can't Microsoft follow Google's lead and give us the ability to both log in securely and stay logged in to multiple accounts at the same time? It's irritating enough to have to log out and then log back in with the other username/password, and the "stay logged in" check box is fucking useless when you have to log out every god damn day anyway to check something on your other account.
Your post has nothing to do with the actual conversation.
Your post has nothing to do with the actual conversation.
Ok, please tell me which of the following statements are wrong and why.
1. This system requires the user to enter a password.
2. This system can be configured to require the user to enter a code sent via SMS to the user's phone.
3. A password is an authentication factor.
4. Physical access to an object is an authentication factor.
5. 1 + 1 = 2
#5 is wrong. You used addition when you should have used multiplication. The system that requires the user to enter a password is the same as the system that the user must have. That is 1 system, not two. 5 Should read: 1 * 1 = 1
#5 is wrong. You used addition when you should have used multiplication. The system that requires the user to enter a password is the same as the system that the user must have. That is 1 system, not two. 5 Should read: 1 * 1 = 1
No it isn't. I don't store my Microsoft password on my phone. My Microsoft password exists only in my head, as a properly used password should. Just because YOU CHOOSE to store your password on the same device as your token does not mean that it isn't 2-factor authentication. It sounds like you are using 2-factor authentication wrong, not Microsoft.
Are you some kind of moron? My phone isn't a token. That is the whole point. The standard use case is for passwords to be stored on the phone. Everyone does it, because one would be a moron not to do so. It would break the entire mobile email system. Hey, I'm about to do a 10 minute check to see if you have email now, please enter your password again! If you want a token you need a separate system. Good luck learning the basics of computer security, though!
Are you some kind of moron? My phone isn't a token. That is the whole point. The standard use case is for passwords to be stored on the phone. Everyone does it, because one would be a moron not to do so. It would break the entire mobile email system. Hey, I'm about to do a 10 minute check to see if you have email now, please enter your password again! If you want a token you need a separate system. Good luck learning the basics of computer security, though!
I see the problem now. You are assuming that everyone who has a Microsoft account uses it for email and checks it from their phone. I only use my Microsoft account to access MSDN and MSN Messenger from my desktop; it isn't linked to any email or on my phone at all. In my case their solution works perfectly as 2-factor authentication, as the phone is completely separate from the password.
You have the issue inverted. The fact that people use their phone for email means Microsoft has to address that (most common) use case. Your corner case is exactly that. Most people use their smartphone for email. A solution that breaks functionality, especially functionality used by the majority, is not a solution.
The fact that my case exists at all and counts as 2-factor authentication means that Microsoft has ACTUALLY created 2-factor authentication. How many people do you know who have Microsoft email addresses? I'm betting that my type of usage isn't all that uncommon.
"With this release you can choose to protect your entire account with two-step verification, regardless of what service, or device, you are using with your Microsoft account," says Eric Doerr, a Microsoft group program manager. "It's your choice whether you want to enable this, but for those of you that are looking for ways to add additional security to your account, we've worked hard to make set-up really easy."
;-)
...
I didn't say they didn't implement it. It is merely that they have broken functionality. You get to choose between using it and not having a partially broken system. It is a typical Microsoft "solution" in that regard, of course.
Now off you go